Sophos

W32/Mimail-N

Aliases
  • WORM_MIMAIL.P

Summary

Protection available since 8 January 2004 12:36:19 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the worm.

Delete the files zipzip.tmp and outlook.cfg in the Windows folder.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinMgr32

and delete it if it exists.

Close the registry editor.

More Information

W32/Mimail-N is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named outlook.cfg in the Windows folder.

In order to run itself automatically when Windows starts up the worm copies itself to winmgr32.exe in the Windows folder and adds the following registry entry to point to it:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinMgr32

The worm also modifies the following registry entry so that the Internet Explorer start page is set to http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

W32/Mimail-N creates fake PayPal web pages named index.hta and index2.hta in the root folder in order to steal personal information. These pages prompt the user to enter credit card details and other personal information.

W32/Mimail-N arrives in an email with the following characteristics:
Subject line: GREAT NEW YEAR OFFER FROM PAYPAL.COM!
(The subject line is followed by eight random characters.)
Message text:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***

Dear PayPal.com Member,

We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!

If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.

That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!

Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com

Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!

Best of luck in the New Year
PayPal.com Team
Attached File: pp-app.zip

The file pp-app.zip contains a copy of W32/Mimail-N with a random filename.
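The email characteristics above are enough to write a mail-gateway rule for this lure. The following Python is an added example and is not Sophos code: it parses a raw RFC 822 message and reports which of the described indicators (the subject line, the body banner, the pp-app.zip attachment, and an executable inside the zip) are present. It assumes the eight trailing subject characters are alphanumeric and that the zipped worm carries a Windows executable extension; both sample messages are constructed here, and the zip holds a harmless text stub rather than any real file.

```python
"""Mail-side detection of the W32/Mimail-N lure described above (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the description.  The eight random characters after the
# subject are assumed alphanumeric (the description does not say).
SUBJECT_RE = re.compile(r"^GREAT NEW YEAR OFFER FROM PAYPAL\.COM!\s*[A-Za-z0-9]{8}$")
BODY_BANNER = "*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***"
ATTACHMENT_NAME = "pp-app.zip"
# Assumption: the zipped worm uses one of the usual Windows executable suffixes.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def mimail_n_indicators(raw: str) -> list:
    """Return the Mimail-N indicators found in one raw RFC 822 message, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_BANNER in body.get_content():
        hits.append("body-banner")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment-name")
        if part.get_content_type() == "application/zip":
            try:
                # get_content() returns the base64-decoded bytes of the attachment.
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    if any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in zf.namelist()):
                        hits.append("zip-contains-executable")
            except zipfile.BadZipFile:
                hits.append("attachment-not-a-zip")
    return hits


def is_mimail_n_lure(raw: str) -> bool:
    """The exact subject alone is decisive; otherwise require the attachment plus a body or zip hit."""
    hits = set(mimail_n_indicators(raw))
    if "subject" in hits:
        return True
    return "attachment-name" in hits and bool(hits & {"body-banner", "zip-contains-executable"})


def _build_sample_lure() -> str:
    """Constructed sample mirroring the described email; the zip holds a text stub, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kqzwe.exe", b"stub - not an executable")  # random-looking name, as described
    msg = EmailMessage()
    msg["Subject"] = "GREAT NEW YEAR OFFER FROM PAYPAL.COM! ab12cd34"
    msg["From"] = "member-services@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content(BODY_BANNER + "\n\nDear PayPal.com Member,\n\n(lure text as described above)\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=ATTACHMENT_NAME)
    return msg.as_string()


def _build_benign() -> str:
    """Constructed ordinary message that must not match."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch tomorrow?"
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg.set_content("Same place at noon?\n")
    return msg.as_string()


SAMPLE_LURE = _build_sample_lure()
SAMPLE_BENIGN = _build_benign()

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, mimail_n_indicators(raw), is_mimail_n_lure(raw))
```

The verdict deliberately does not fire on the attachment name alone, since a legitimate message could carry a zip with that name; the subject is specific enough to stand on its own, while the other indicators are combined.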

W32/Mimail-N creates a copy of itself named ee98af.tmp and a copy of pp-app.zip named zipzip.tmp, both in the Windows folder. The worm also creates other helper files that are non-malicious and can simply be deleted. Such files may include:
C:\tmpcan3.txt
C:\tmppsw.txt
C:\tmpenc.txt
C:\tmpeg2.txt
C:\tmpgld.txt
C:\tmpny3.txt

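The Action section and the artefacts listed above can be checked on a host in one pass. The following Python is an added example, not a Sophos tool: it matches a snapshot of the HKLM Run key, the relevant files and the Internet Explorer start page against the described artefacts and produces a finding with the cleanup step from the instructions for each hit. It assumes %WINDIR% is the "Windows folder" and the drive root of %WINDIR% is the "root folder"; live collection uses the standard-library winreg module and therefore only runs on Windows, while the assessment itself can be run anywhere on a constructed snapshot, as the usage at the bottom shows.

```python
"""Host triage for the W32/Mimail-N artefacts described above (added example)."""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass
from typing import Optional

# Registry and file artefacts named in the description.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WinMgr32"
START_PAGE_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
HIJACK_URL = "http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg"
WINDIR_FILES = {
    "winmgr32.exe": "worm copy launched from the Run key",
    "ee98af.tmp": "worm copy",
    "zipzip.tmp": "staged copy of pp-app.zip",
    "outlook.cfg": "harvested e-mail addresses",
}
ROOT_FILES = {"index.hta": "fake PayPal page", "index2.hta": "fake PayPal page"}
ROOT_FILES.update({n: "non-malicious helper file" for n in
                   ("tmpcan3.txt", "tmppsw.txt", "tmpenc.txt", "tmpeg2.txt", "tmpgld.txt", "tmpny3.txt")})


def _join(folder: str, name: str) -> str:
    return folder.rstrip("\\") + "\\" + name


def _norm(path: str) -> str:
    """Case- and separator-insensitive comparison key for Windows paths."""
    return path.replace("/", "\\").lower()


@dataclass
class Snapshot:
    windir: str
    root: str
    run_values: dict          # HKLM Run value name -> command line
    files: set                # paths that exist on the host
    start_page: Optional[str]


@dataclass
class Finding:
    kind: str
    location: str
    detail: str
    action: str


def assess(snap: Snapshot) -> list:
    """Return one Finding per described artefact present in the snapshot."""
    findings = []
    run = {name.lower(): cmd for name, cmd in snap.run_values.items()}
    if RUN_VALUE.lower() in run:
        findings.append(Finding("persistence", RUN_KEY + "\\" + RUN_VALUE, run[RUN_VALUE.lower()],
                                "delete the registry value (optional on Windows 95/98/Me)"))
    present = {_norm(p) for p in snap.files}
    for folder, table in ((snap.windir, WINDIR_FILES), (snap.root, ROOT_FILES)):
        for name, detail in table.items():
            path = _join(folder, name)
            if _norm(path) in present:
                kind = "helper-file" if detail.startswith("non-malicious") else "dropped-file"
                findings.append(Finding(kind, path, detail, "delete the file"))
    if snap.start_page and snap.start_page.strip().lower() == HIJACK_URL.lower():
        findings.append(Finding("browser-hijack", START_PAGE_KEY, snap.start_page,
                                "reset the Internet Explorer start page"))
    return findings


def collect_live_snapshot() -> Snapshot:
    """Read the real registry and file system; Windows only (winreg is stdlib there)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values[name] = str(value)
            index += 1
    start_page = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main") as key:
            start_page = str(winreg.QueryValueEx(key, "Start Page")[0])
    except OSError:
        pass
    windir = os.environ.get("WINDIR", r"C:\Windows")
    root = os.path.splitdrive(windir)[0] + "\\"
    candidates = [_join(windir, n) for n in WINDIR_FILES] + [_join(root, n) for n in ROOT_FILES]
    return Snapshot(windir, root, run_values, {p for p in candidates if os.path.exists(p)}, start_page)


if __name__ == "__main__":
    # Constructed snapshot of an infected host; swap in collect_live_snapshot() on Windows.
    demo = Snapshot(r"C:\WINDOWS", "C:\\",
                    {"WinMgr32": r"C:\WINDOWS\winmgr32.exe", "ctfmon": "ctfmon.exe"},
                    {r"C:\WINDOWS\winmgr32.exe", r"C:\WINDOWS\outlook.cfg", r"C:\index.hta"}, HIJACK_URL)
    for f in assess(demo):
        print(f"{f.kind:15} {f.location}  ->  {f.action}")
```

Findings are kept distinct from actions on purpose: the script reports what it found and the documented cleanup step, and the operator performs the deletions after taking the registry backup the instructions call for.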